1996-04-05 - Re: software with “hooks” for crypto

Header Data

From: Howard Melman <melman@osf.org>
To: cypherpunks@toad.com
Message Hash: 4aca47eae1fbe4259b3865dd6cbd8520959b5d53573c93e48f87bedde48d3c99
Message ID: <9604041614.AA04108@absolut.osf.org.osf.org>
Reply To: <2.2.32.19960403145406.0034a4d4@labg30>
UTC Datetime: 1996-04-05 00:26:48 UTC
Raw Date: Fri, 5 Apr 1996 08:26:48 +0800

Raw message

From: Howard Melman <melman@osf.org>
Date: Fri, 5 Apr 1996 08:26:48 +0800
To: cypherpunks@toad.com
Subject: Re: software with "hooks" for crypto
In-Reply-To: <2.2.32.19960403145406.0034a4d4@labg30>
Message-ID: <9604041614.AA04108@absolut.osf.org.osf.org>
MIME-Version: 1.0
Content-Type: text/plain



On Wed Apr 3, 1996, John Deters wrote:

> At 02:31 PM 4/2/96 -0800, you wrote:
> >Hello all,
> >
> >I'm trying to figure out exactly what the laws are regarding the export of
> >software which contains "hooks" for PGP.  In various forms, I've heard
> >that it's not the ITAR which prevents this, but more a "suggestion" by
> >the NSA that we "shouldn't do it."  Does anyone have any pointers to
> >real legislation/laws regarding this?
> 
> There are a number of "PGP Helpers" (If this is Tuesday, it must be PGP) out
> there.  These are other PGP front end applications such as Private Idaho,
> PGPShell and others that do NOT include PGP, nor do they contain any
> encryption code within them.  These applications are all billed as "freely
> exportable".  If your software does not contain any encryption code, such
> that it simply "invokes" the users separately-obtained-and-installed copy of
> PGP, you are not in violation of ITAR.  It sounds like this is what you're
> doing with your "hooks for PGP".

I am not a lawyer.

Hooks to encryption code have *sometimes* been considered
"ancillary devices" and as such are in violation of ITAR.

Calling another executable like pgp *might* be less of an
issue than having source code hooks that call crypto library
routines, but maybe not.  (And no I don't understand why
they would be different)

NCSA had something related to this in their use of PEM/PGP
in httpd.  See some info at:  

  http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html

which says:

  Note: As of NCSA HTTPd 1.4.1, support for PEM/PGP encryption
  was removed in order to bring NCSA in compliance with the
  Internation Treaty on Arms Reduction to which the United
  States of America is a signatory. We hope to have an
  improved version available with NCSA HTTPd 1.5 from an
  export controlled server.

In sum, check with a lawyer.

Howard





Thread